lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue Jun 13 19:26:33 2006 From: Wu at AUX.UWM.EDU (Jacob Wu) Subject: repeated port 21 attempts I have received the suggestion that these attempts to connect to our ftp server are actually attempts to connect to some anti-virus ftp server for updates. This is quite probable given that: 1.) When our client has a 10.x.x.x address all dns requests resolve to the IP number of my server. 2.) After they register and have a "real" IP we switch them to a real DNS server. It is also possible that it could be a bot "calling home", but when we have brought the computers down to our office and scanned them ourselves we can't find anything on them. I'm going to call this one done since the "attacks" seem to go away once we give them a "real" IP. Thanks to all. -----Original Message----- From: Andrew Farmer [mailto:andfarm@...il.com] Sent: Tuesday, June 13, 2006 12:49 PM To: Jacob Wu Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Re: [Full-disclosure] repeated port 21 attempts On 6/13/06, Jacob Wu <Wu@....uwm.edu> wrote: > They are all non routable 10.x.x.x IPs. This is for a residence hall at my > University. Residents, when they first turn on their computers, are given a > 10.x.x.x IP and made to register and agree with the network use policy. > Once they do that they are given a "real" IP and thus access to the > internet. Are you doing something weird with DNS that's making this one machine's address to show up on lookups, or messing with routing so that everything gets redirected to this box? If so, I'd wonder if this is some sort of bot that you're seeing that's trying to "call home" with FTP. It might behoove you to (kindly) ask the owner of one of the machines to let you take a look at their machine to see what it's doing. > Someone sent me this link: >> Try websnarf: http://www.unixwiz.net/tools/websnarf-1.04 > But it gives me less information than iptables does. You may have to modify it to better imitate an FTP server - it was written for use as a faux HTTP server. In particular, the client may be waiting for a banner and/or greeting before it makes a request.
Powered by blists - more mailing lists